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to operational consideratioiis. 



Please refer questions about this matter to Policy and Planning Section Chief Odis V, 
Rousseau or Policy and Procedures Unit Chief Patricia Collins at (202) 307-4200 or 
facsimile .(202) 307-4191. 



cc: OC, DO, OF, OD 
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Memorandum 



rtdU^^i^^ 



Subject 



POLICY; Control and Decontrol of DEA 



Sensitive Information 



(FFS; 210-03.56) REF: 99-001 



Date 



June 2, 1999 



To 



From 



/ - 



; /t/c-jr*-"^ 



All DEA Personnel 



William B. Simpkins 
Assistant Administrator 
Operational Support Division 



The attached poUcy: Control and Decontrol of DEA Sensitive Infonnation, will be 
implemented immediately. This PoHcy is issued pending the publication of au updated 
DEA Planning and Inspection Manual. 



■ 

This PoUcy supersedes all other poUcies governing control and decontrol of DEA 
sensitive information, including the DEA Planning and Inspection Manual. 
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DNCDR/ NOMCOtaCOR I 



DWCUa/NOWCOMCUR-l 






J[A^/9l 




mif 



cc: 



.Charles H. Lutz, OM 
Cynthia R. Ryan, CC 
Felix J. Jimenez, IG 
John H. Graetz, SP 



POLICY 

This policy implements the directives and procedures as set forth in the Department of 
Justice Order 2640, 2 C and the Drug Enforcement Administration Planning and 
hisp action Manual for handling, storing, transmitting, reproducing, and destruction of 
DBA Sensitive information, material and media. It also provides for oversight and 
administrative sanctions for violations. 



APPLICABILITY 



• • 



This regulation applies to all Ding Enforcement Administration Headquarters and 
Fimctional Offices. 



CONTROL AND RELEASE OF DE A SENSITIVE INFORMATION 

DEA Sensitive information is information, material or media which must be afforded a 
higher level of protection than Sensitive But Unclassified information. Controlled DEA 
Sensitive information will be stored in in a manner which wiU deny access to the general 
pubUc. Types of information to be protected under this designation are as follows: 



1 . Information and material that are kivestigative in nature, 

2. Information and material to which access is restricted by law. 

3. Information and material which are- critical to the operation and mission of DEA. 

4. Information and material the disclosure of which would violate a privileged 
relationship. 

5. Information and material relating to DEA employees* identification and/or location if 



revealing such information would negatively impact on ain operation or ihission. 

The authority to designate information, material and/or media as DEA Sensitive is 
hEnited to Country Attaches, Special Agents in Charge, Resident Agents in Charge, 
Group Supervisors and those higher in the field. Laboratory Chiefs, Section Chiefs and 
higher at Headquarters, DEA Inspectors, and to DEA Strike Force Representatives 
occupying supervisory and Uaison positions. 



I * 



A DEA employee must be approved and authorized for access to DEA Sensitive (yellow 
badged); aU non-DEA, to include foreign nationals, must have a need-to-know for the 
information^ material and/or media which is DEA sensitive. The DEA employee who 
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makes the decision to provide DEA Sensitive information to a non-DEA employee must 
obtain supervisory concurrence to release DEA Sensitive information and is responsible 
for ensuring that the non-DEA employee has access only to DEA Sensitive information 
for which he or she has a need-to-know and is made aware of the safeguarding 

• + 

procedures for information which has been designated DEA Sensitive, 



Storage requirements for DEA Sensitive ioformation, material and/or media are as 
follows: 



■BW H fil>fc»»*-MfcJ*i^^bfc^.^.^i^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^»^^^^MMi.^^ ■■|iii^ r,r,ffMim *^^^h 



In non-DEA Controlled Access Areas: 

* 

DEA Sensitive information, material and media must be stored in (1) an approved safe, 

(2) steel file cabinet equipped with a GSA-approved three position changeable lock, or 

(3) safe-type steel file container, (4) in a vault-type room or (5) in a secure, storage room 
which has been approved lAW DOT 2620,4, A non-GSA approved container may be used 
to store DEA Sensitive information provided: (1) it is a steel fiHng cabinet equipped with 
a built-in, three-position , dial-type combination lock; or (2) in an existent steel fiting 
cabinet equipped with a steel lock bar and the cabinet is secured by a GSA-approved 
changeable combination padlock. DEA Sensitive information, material or media which is 
stored as described above does not require supplemental (i,e,, alarms or guards) 
protection. 



In DEA-Contro lied Access Areas: 

* 

DEA Sensitive information, materials and media must be stored in a key-locked office, 
key-locked file cabinet (metal or wooden), key-locked desk, and/or key-locked wall 
mounted unit During non-duty hours, all DEA facilities must be secured using approved 
locks. Supplemental protection is required and may be provided by either 24-hour guard 
service or an approved Intrusion Detection System which will consist of alarm, motion 
detectors and balanced magnetic door contacts. 



In DEA-Con trolled Access Areas Approved For Open Storage Approved (OS A) 
Areas at the SECRET level: 

* 

DEA Sensitive information, materials and media which. are located in an OSA area will 

* 

be safeguarded fiom unauthorized disclosure. 



DEA Sensitive information, material or media may be removed from DEA faciUties only 
when it is necessary to meet an operational or functional requirement The officer or 
employee who removes DEA sensitive material from a DEA facUity will assume full 
responsibility for safekeeping such material. 
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DEA Sensitive information^ material or media will not be distributed outside of DEA 
except wHere there is a specific need for the information to be referred to other agencies 
for tbeir information or action. The foUowing notation will be typed, labeled or stamped 
on each DEA Sensitive document or riiedia sent to another agency: 



DEA SENSITIVE: This document is DEA property loaned to your agency for use 
by persons having a bonaflde need-to-know. This document must be stored in a 
manner which will preclude access by those persons who have no need-to-know, 
FunhTnaistntmion^ftttiraorame^^ 

prohibited. 



DEA Sensitive mfomiation, material or media which is to be transmitted to a non-DEA 
Domestic Agency must be sent Registered mail if using the U^S, Post OfBce for 
transmission. DEA Sensitive information, material or media which is mailed will be 
enclosed in two opaque envelopes. The inner envelope will be prominently marked '*DEA 
SENSITIVE'* on both the front and the back of the envelope and sealed. The imier 
envelope will be fully addressed with both the sender^s and the recipient's address. The 
outer envelope will be prepared iu the same manner except that "DEA SENSITIVE" will 
NOT be placed on the outer envelope. 



DEA Sensitive Information wiU be transmitted only by the foUowing authorized 
methods: United States Postal Registered Mail with registered mail receipt or U.S. Postal 
Express Mail service within and between the 50 states, the District of Columbia and 
Puerto Rico; U.S, Postal Service Certified Mail, or an approved continuous control 
provider, ( FedEx, DHL, Yellow Line, etc.)< DEA Sensitive information may also be 
transmitted over approved communications systems such as Firebird STU-III secure 
facsimile. DEA Sensitive infonnation, material or media may be hand-carried by 
authorized (persons with a need-to-know/yellow-badged) Department employees or 
contractors within and between the United States and its territories. 



Sidewalk Express Mail boxes vdll not be used for transmitting DEA Sensitive 
information, material or media. 



DEA Sensitive informatioii, material or media will be marked or stamped in a maimer 
which will ensure that it is easily identifiable. The front and back covers of material 
containing DEA Sensitive information will be marked at the top and bottom, on the title 
page, and on all inner pages which contain DEA Sensitive information; computer disks 
will be identified as containing X)E A Sensitive Lnfonnation when appropriate, DEA Form 
6's do not need marking in addition to that which appears on the face of the form. 



DEA Sensitive processing will be performed on computers and/or workstations which 
have been identified as approved for the processing of Sensitive But Unclassified (SBU) 
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data. DEA Sensitive data may be processed on approved stand-alone PCs which 

F 

have no peripherals (such as a modem) attach ed, are password protected with the 
screen saver feature invoked. 



DEA sensitive ioformatiorL processed on Automated Information Systems will be 
controlled and protected. An Automated Infoimation System with Sensitive But 
Unclassified and/or DEA Sensitive Information on nonremoveable media will be in a 
locked office or building during non-duty hours or be otherwise secured* to prevent loss or 
damage. 



User identification and password systems support the minimum requirements of 
accountability, access control, least privilege, and data integrity for control of DEA 
Sensitive infomiation on Automated Information Systems and media. Tie System 
Administrator or designated representative is responsible for managing generation, 
issuance, and control of all passwords. 



An AIS with remote teiminal access containing SBU data will have a "time-out** 
protection feature that automatically disconnects the remote terminal firom the computer 
after a predeteraiined period of time has passed without communication between the 
terminal and the computer. The system should make periodic, checks to verify that the 
disconnect is stiU valid. The automatic disconnect must be preceded by a clearing of the 
remote terminal's screen followed by the recording of an audit trail record for the System 
Administrator to use. The time period should not e?:ceed 15 minutes but may vary 
depending on the sensitivity of the dafa^ the frequency of use and location of the terminal, 
the strength of the audit mechanism, and other physical or procedural controls in place. 
The time-out feature is not required if a networked AIS must remain active because it is 
used as a communications device. However, physical security for the terminal will meet 
the requirements for storage of data at the highest level that could be received at the 
terminal. 



The number of log-on attempts for systems which process- SBU wiU be limited to three 
(3), at which time, access will be denied to the user. User accounts will not be reset until 
the Systems Administrator or the IS SO or designee has verified the reason for the failed 
logon attetnpts. 



All sensitive unprotected cabling and information must be confined to Drug Enforcement 
Administration sensitive areas. If the cabling or communications transit non-DEA 
controlled areas, the information will be encrypted or the cabling protected by 
appropriate conduit. The encryption for Drug Enforcement Administration Sensitive 
information will meet the requirements for Type U encryption. 
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DEA Sensitive information, material or media may be released by the Of&cial who 
authorized the original DEA Sensitive designation if it has been determined that the 
recipient(s) has a valid need-to-knoV^'. Material so designated may be released by a 
successor in the same capacity, or by the supervisory official of either. 



SBU iofoimation, material or media will be stored in locked cabinets. Reproduction of 
DEA Sensitive information will be kept to an absolute minimum consistent with 
operational requirements. Destruction of DEA Sensitive material or media will be bv 

^^ — '-' — ' — *-* — — ■■■- ■ I I r WL 1 1^^^^^^^ 



lumm 



Any employee of DEA who has knowledge of the loss or possible compromise of DEA 
Sensitive informatioii, material or media must report the circumstances to his or her 
supervisor or the cognizant security ofBcer, The report must be followed up in writing as 
soon as possible. 



A written damage assessment will be initiated by the Office Head whenever the 
compromise can be expected to cause damage to the DEA operation or mission. 



PHYSICAL SECURITY STANDARDS FOR AUTOMATED INFORMATION 
SYSTEMS PROCESSING DBA-SENSITIVE INFORMATION 

Physical security requirements must be considered and selected based on the sensitivity 
and safeguarding requirements of the data being protected as well as the assessed risk to 
the information and the risk of equipment theft, r 



1 . An Automated Information System with non-removable media will be safeguarded in a 
manner which wiU preclude access by unauthorized personnel. Generally, this will mean 
that workstations wiU be located in Controlled Access Areas, 



2- When users leave their workstations or personal computers, they wiU log-off or lock 
the keyboard and screen until reauthentication. 

3- Workstations and personal computers should mcliide a local "idle lockout/screen 
saver" feature that automatically locks the screen and keyboard. after a specified period of 
no activity and require re authentication before xmlockingthe system. 



4. Servers will be located in Controlled Access Areas, 
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5. Servers maybe placed in a COMSEC/CRYPTO room, as long as they are separated by 
One meter from the COMSEC/CRYPTO equipment. 



6. Any DEA Automated Information System installed in non-DBA controlled space must 
be protected in accordance with "DEA Policy for InstalliQg Firebird in Non-DEA 
Spaces", 



C ONT RQLLBD_ACCBSS AREA: Th e cnrnpletf; hiiildiTig-Qriacilityuindejuiirect 



physical control of the Federal Government, within which unauthorized persons are 
denied unrestricted access and are either escorted by authorized persons or are under 
continuous physical or electronic surveillance. Each site must be iadependently reviewed 
by the Cognizant Security Office to define the CAA. 



SENSITIVE BUT UNCLASSIFIED (SBU) INFORMATION IS INFORMATION 
WHICH MEETS THE FOLLOWING CRITERIA: 

SENSITIVE BUT UNCLASSIFffiD (SBU) INFORMATION IS SUBJECT TO 
CONTROLS OUTSIDE THE FORMAL SYSTEM FOR CLASSIFYING NATIONAL 
SECURITY INFORMATION. 



ALL SUCH INFORMATION MAY BE EXEMPT FROM RELEASE TO" THE PUBLIC 
UNDER THE FREEDOM OF INFORMATION ACT. 



MOST CATEGORIES OF SBU INFORMATION ARE DEFINED BY FEDERAL 
LAW. • 



PROCEDURES FOR HANDLING THE VARIOUS CATEGORIES OF SBU 
INFORMATION VARY FROM ONE AGENCY OR COMPANY TO ANOTHER, 
THIS IS DUE TO THE DIFFERENT LEGAL AND/OR REGULATORY 
REQUIREMENTS FOR EACH CATEGORY AND THE AGENCY OR 
ORGANIZATION'S IMPLEMENTATION OF THOSE REQUIELEMENTS. 



PROCEDURES FOR SAFEGUARDING SBU INFORMATION DEPEND UPON THE 
CATEGORY OF INFORMATION AND MAY VARY FROM ONE AGENCY OR • 
COMPANY TO ANOTHER. 



DEA SBU AND DEA SENSITIVE INFORMATION AND MEDIA ARE TO BE 
PROMINENTLY- LABELED AND, WHERE REQUIRED, HANDLING 
INSTRUCTIONS PROVIDED. 
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